Researchers have observed a new phishing campaign primarily targeting high-profile TikTok accounts belonging to influencers, brand consultants, production studios, and influencers’ managers.
Abnormal Security researchers who spotted the attacks, observed two activity peaks while observing the distribution of emails in this particular campaign, on October 2, 2021, and on November 1, 2021, so a new round will likely start in a couple of weeks.
You’ve got mail!
In some cases seen by Abnormal Security, the actors impersonate TikTok employees, threatening the recipient with imminent account deletion due to an alleged violation of the platform’s terms.
Another theme used in the emails is offering a ‘Verified’ badge that adds credibility and authenticity to the account.
TikTok ‘Verified’ badges give weight to the content posted by verified accounts and signal the platform’s algorithms to ramp up the exposure rates of posts from these accounts.
Using this bait for phishing is very effective as many people would be thrilled to receive an email offering them the chance to get a verification badge.
In both cases, the attackers provide their targets with a way to verify their accounts by clicking an embedded link.
However, they are instead redirected to a WhatsApp chat room where they’re welcomed by a scammer pretending to be a TikTok employee awaits.
The scammer asks for their email address, phone number, and one-time code required to bypass multi-factor authentication and reset the account’s password.
Account takeover or extortion?
It is unclear what the phishing actors aim for in this campaign, but it could be either an attempt to take over the targets’ accounts or to extort the account owners and force them to pay a ransom for giving them back control.
TikTok’s terms of service make it clear that if an account, especially one with many followers, violates its services, it will be permanently suspended or terminated.
This means that the actors can easily threaten to post something inappropriate, resulting in the deletion of a profile that its owner may have spent a lot of time and money to bring to its current form.
If you own and/or manage valuable social media accounts, make sure to backup all your content and data somewhere safe.
Also, you should always secure your account with two-factor authentication (2FA) or 2-step verification, as TikTok calls it, ideally with a hardware security key.
If you can only use the less secure SMS-based 2FA option, pick up a private number you’ve shared with nobody and use it only for this purpose.